Use customer-managed encryption keys (CMEK) for continuous migrations

This page describes how customer-managed encryption keys (CMEK) work with Database Migration Service migration jobs.

By default, Database Migration Service (for Oracle to AlloyDB for PostgreSQL) encrypts customer content at rest. Database Migration Service (for Oracle to AlloyDB for PostgreSQL) handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Database Migration Service (for Oracle to AlloyDB for PostgreSQL). Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Database Migration Service (for Oracle to AlloyDB for PostgreSQL) resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Regions where Database Migration Service supports CMEK

CMEK is available in all Database Migration Service locations.

CMEK with Cloud KMS Autokey

You can either create CMEKs manually to protect your Database Migration Service (for Oracle to AlloyDB for PostgreSQL) resources or use Cloud KMS Autokey. With Autokey, key rings and keys are generated on demand as part of resource creation or update in Database Migration Service (for Oracle to AlloyDB for PostgreSQL). Service agents that use the keys for encrypt and decrypt operations are created if they don't already exist and are granted the required Identity and Access Management (IAM) roles. For more information, see Autokey overview.

Understand service accounts

When your Database Migration Service migration jobs have CMEK enabled, you need to use a service account to request key access from Cloud Key Management Service.

To use a CMEK on a project, you must have a service account and you must grant the key access to the service account. The service account must exist inside of the project. The service account is visible in all regions.

Understand keys

In Cloud Key Management Service, you create a key ring in a specific location and a cryptographic key on that key ring. When you create a new migration job in Database Migration Service, you select this key to encrypt the migration job.

You need to know the key ID and key region when you create new migration jobs that use CMEK. You must put the destination databases in the same region as the CMEK associated with the migration job. You can create one project for both keys and destination databases, or different projects for each.

A CMEK is referenced by its resource ID, which has the following format:

projects/[CMEK_ENABLED_PROJECT]/locations/[REGION]/keyRings/[RING_NAME]/cryptoKeys/[KEYNAME]
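The region constraint on this page (the key must live in the same single region as the destination database; multi-region and global keys aren't accepted) is easy to get wrong when resource IDs are copied between projects. The following POSIX shell script is an added example, not part of the Database Migration Service documentation: it parses a resource ID in the format above and checks its location against the destination region before you paste it into a migration job. The project, key ring and key names in it are constructed placeholders, and the regional-name pattern `^[a-z]+-[a-z]+[0-9]+$` is an assumption used as a sanity check, not a rule from the page.

```shell
#!/bin/sh
# Added example, not part of the Database Migration Service docs: validate a
# CMEK resource ID before using it in a migration job. Resource names in the
# usage line at the bottom are constructed placeholders.

# Print the location component of a Cloud KMS cryptoKey resource name.
# Fails (returns 1) unless the name has exactly the shape
# projects/P/locations/L/keyRings/R/cryptoKeys/K with every component non-empty.
cmek_location() {
  old_ifs=$IFS
  set -f            # no globbing while splitting on '/'
  IFS=/
  set -- $1
  set +f
  IFS=$old_ifs
  if [ "$#" -ne 8 ] || [ "$1" != projects ] || [ "$3" != locations ] \
     || [ "$5" != keyRings ] || [ "$7" != cryptoKeys ] \
     || [ -z "$2" ] || [ -z "$4" ] || [ -z "$6" ] || [ -z "$8" ]; then
    echo "not a Cloud KMS cryptoKey resource name" >&2
    return 1
  fi
  printf '%s\n' "$4"
}

# Check that the key's location is a single region equal to the destination
# database region. Multi-region (global, us, europe, asia) and dual-region
# (for example nam4, eur4) names never fit the regional pattern below; the
# pattern itself is an assumption used as a sanity check, not a documented rule.
check_cmek_region() {
  key=$1
  dest_region=$2
  loc=$(cmek_location "$key") || return 1
  if ! printf '%s\n' "$loc" | grep -Eq '^[a-z]+-[a-z]+[0-9]+$'; then
    echo "location '$loc' is not a single region; multi-region and global keys are not supported" >&2
    return 1
  fi
  if [ "$loc" != "$dest_region" ]; then
    echo "key location '$loc' does not match destination region '$dest_region'" >&2
    return 1
  fi
  echo "ok: $key is in $dest_region"
}

# Usage: sh cmek_check.sh projects/my-kms-project/locations/us-central1/keyRings/dms-ring/cryptoKeys/dms-key us-central1
if [ "$#" -eq 2 ]; then
  check_cmek_region "$1" "$2"
fi
```

Run it with the resource ID copied from the Keys table and the region of the destination database; a non-zero exit means the migration job creation would fail the region check described on this page.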

How do you make CMEK-encrypted data inaccessible permanently?

You might have situations where you want to permanently destroy data encrypted with CMEK. To do this, you destroy the CMEK version. You can't destroy the keyring or key, but you can destroy key versions of the key.

Restrictions

The following restrictions apply when using CMEK:

  • You can't update CMEK on a running migration job.

  • Although you can use CMEK to encrypt data from the source database, you can't use these keys to encrypt any migration job metadata, such as the migration job ID, IP address of the source database, and so on.

Use CMEK

The following sections describe how to set up CMEK for

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Google Cloud project.
  4. Install and initialize the Google Cloud CLI.
  5. Make sure that you have the Database Migration Admin role assigned to your user account.
  6. Enable the Cloud Key Management Service API.
  7. Enable the Database Migration Service API.

Workflow to create migration jobs in Database Migration Service with CMEK

  1. gcloud CLI and API users only: Make sure that you have a service account for each project that requires CMEK. For more information, see Create a service account.

  2. Create a keyring and key, and set the location for each key. The location is the Google Cloud region.

  3. Grant the key access to the service account.

  4. Copy or write down the key ID (KMS_KEY_ID) and location for the key, and the ID (KMS_KEYRING_ID) for the keyring. You need this information when granting the key access to the service account.

  5. Go to a project, create a migration job in Database Migration Service, and use your CMEK in the Advanced encryption options section.

Your migration job in Database Migration Service is now enabled with CMEK.

Create a service account

You need to create a service account for each project that requires CMEK. To allow a user to manage service accounts, grant one of the following roles:

  • Service Account User (roles/iam.serviceAccountUser): Includes permissions to list service accounts, get details about a service account, and impersonate a service account.
  • Service Account Admin (roles/iam.serviceAccountAdmin): Includes permissions to list service accounts and get details about a service account. Also includes permissions to create, update, and delete service accounts, and to view or change the IAM policy on a service account.

You can use only gcloud CLI commands to create the type of service account you need for CMEK.

To create a service account with gcloud CLI, run the following command:

gcloud beta services identity create \
--service=datamigration.googleapis.com \
--project=PROJECT_ID

The previous command returns a service account name. You use this service account name during the procedure in Grant the key access to the service account.

Create a key

You can create the key in the same Google Cloud project as the migration job in Database Migration Service, or in a separate user project. The Cloud KMS key ring location must match the region of your destination database associated with the migration job. A multi-region or global region key isn't supported. If the regions don't match, then you can't create the migration job.

To create a Cloud KMS key:

Console

  1. In the Google Cloud console, go to the Cryptographic keys page.
  2. Click Create key ring.
  3. Add a Key ring name. Note this name because you need it when granting the key access to the service account.
  4. Add a Key ring location.
  5. Click Create. The Create key page opens.
  6. Add a Key name.
  7. Select a Purpose (symmetric or asymmetric).
  8. Select a Rotation period and Starting on date.
  9. Click Create.
  10. On the Keys table, click the three dots in the last column, and select Copy Resource ID or write it down. This is the KMS_KEY_ID. You need the KMS_KEY_ID when granting the key access to the service account.

gcloud CLI

  1. Create a new key ring.
    gcloud kms keyrings create KMS_KEYRING_ID \
    --location=REGION
      
    Write down this name because you need it when granting the key access to the service account.
  2. Create a key on the key ring.
    gcloud kms keys create KMS_KEY_ID \
    --location=REGION \
    --keyring=KMS_KEYRING_ID \
    --purpose=encryption
      
    Write down this name because you need it when granting the key access to the service account.

Grant your service account access to the key

You only need to perform this procedure if you're using gcloud CLI or the API.

To grant the service account access to the key, run the following command:

gcloud kms keys add-iam-policy-binding KMS_KEY_ID \
--location=REGION \
--keyring=KMS_KEYRING_ID \
--member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-datamigration.iam.gserviceaccount.com \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter
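The gcloud CLI procedure from the sections above (create the service account, create the key ring and key, grant key access, and produce the resource ID for the migration job's Advanced encryption options) collected into one script. This is an added example, not the documentation's own tooling. It assumes PROJECT_ID, PROJECT_NUMBER, REGION, KMS_KEYRING_ID and KMS_KEY_ID values that are constructed placeholders, and it defaults to a dry run that only prints the gcloud commands so you can review them before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the Database Migration Service documentation's own script:
# prepare a CMEK for a migration job end to end. PROJECT_ID, PROJECT_NUMBER,
# REGION, KMS_KEYRING_ID and KMS_KEY_ID default to constructed placeholders;
# override them in the environment. DRY_RUN=1 (the default) only prints the
# gcloud commands; DRY_RUN=0 executes them.
set -eu

PROJECT_ID=${PROJECT_ID:-my-dms-project}          # placeholder
PROJECT_NUMBER=${PROJECT_NUMBER:-123456789012}    # placeholder
REGION=${REGION:-us-central1}                     # must equal the destination database region
KMS_KEYRING_ID=${KMS_KEYRING_ID:-dms-keyring}     # placeholder
KMS_KEY_ID=${KMS_KEY_ID:-dms-key}                 # placeholder
DRY_RUN=${DRY_RUN:-1}

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The Database Migration Service service agent for a project, in the form the
# add-iam-policy-binding command on this page uses.
dms_service_agent() {
  printf 'service-%s@gcp-sa-datamigration.iam.gserviceaccount.com\n' "$1"
}

# Build the key resource ID to paste into the migration job's Advanced encryption options.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

setup_cmek() {
  # 1. Create the service agent that will request key access.
  run gcloud beta services identity create \
    --service=datamigration.googleapis.com --project="$PROJECT_ID"

  # 2. Create a regional key ring and a symmetric encryption key on it
  #    (--purpose=encryption is the symmetric purpose used in the gcloud steps above).
  run gcloud kms keyrings create "$KMS_KEYRING_ID" \
    --location="$REGION" --project="$PROJECT_ID"
  run gcloud kms keys create "$KMS_KEY_ID" \
    --location="$REGION" --keyring="$KMS_KEYRING_ID" \
    --purpose=encryption --project="$PROJECT_ID"

  # 3. Grant only the encrypter/decrypter role, only on this key, to the service agent.
  run gcloud kms keys add-iam-policy-binding "$KMS_KEY_ID" \
    --location="$REGION" --keyring="$KMS_KEYRING_ID" \
    --member="serviceAccount:$(dms_service_agent "$PROJECT_NUMBER")" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter --project="$PROJECT_ID"

  # 4. Print the resource ID the migration job needs.
  kms_key_resource "$PROJECT_ID" "$REGION" "$KMS_KEYRING_ID" "$KMS_KEY_ID"
}

setup_cmek
```

Binding the role on the individual key rather than the key ring or project keeps the service agent's access to the minimum the migration job needs, and the dry-run output doubles as a record of exactly which key and principal were paired.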

Create a migration job in Database Migration Service with CMEK

As part of creating a migration job in Database Migration Service, you can use your CMEK to manage the encryption of your data.

Disable and re-enable key versions

See the following topics: